EventTracker: Upgrade Guide


Upgrade To v7.2
Prism Microsystems
8815 Centre Park Drive
Columbia MD
Publication Date: February 20, 2012
U.S. Toll Free: (+1) (+1)

Introduction

The purpose of this document is to help users upgrade existing versions of EventTracker Enterprise to a newer release, and to verify the expected functionality and performance of all its components. If you encounter any problems during the upgrade process, please contact the support team to get quick and thorough instructions.

Technical Support Contact Details:
Toll Free: ext. 2
Phone: ext. 2
Fax:
support@prismmicrosys.com

Audience: All users of EventTracker v.6.4 b50, v.7.0, and v.7.1 who wish to upgrade to v7.2 Enterprise.

Prism strongly recommends that you read the entire document thoroughly before you begin the upgrade process. For the user's convenience, this document is separated into two parts: Upgrade - Quick View and Upgrade - Detailed View.

Upgrade - Quick View is written for system administrators or experts who are familiar with EventTracker Enterprise and the upgrade process. It is presumed that the user of this section has enough knowledge of the system and the configuration process.

Upgrade - Detailed View is meant for EventTracker users who are upgrading their EventTracker version for the first time. In this section, the upgrade process is explained with the help of the GUI.

Before you upgrade:
1. Thoroughly read the EventTracker Architecture guide. This guide explains the architecture and sample deployment methods with illustrations.
2. Contact support@prismmicrosys.com for information regarding license keys or license certificates.

*IMPORTANT: Users of versions 5.x and below contact support@prismmicrosys.com for complete and thorough instructions.

Prism Microsystems, Inc.

Contents

What's New in EventTracker
    What's New in EventTracker version 7.2?
    Changes and Bug Fixes in EventTracker v
    What's New in EventTracker version 7.1?
Prerequisites
Planning
Upgrade - Quick View
    Upgrading from v6.4 b50 to v7.2 Enterprise
    Upgrading from v7.0 to v7.2 Enterprise
    Upgrading from v7.1 to v7.2 Enterprise
    Upgrading from v7.2 (Build 38) to v7.2 (any build)
    Upgrading from v6.4 b50 to v7.2 Enterprise
    Upgrading from v7.0 to v7.2 Enterprise
    Upgrading from v7.1 to v7.2 Enterprise
    Upgrading from v7.2 (Build 38) to v7.2 (any build)
Configuring Service Accounts

What's New in EventTracker

This section will take you through the changes made in the EventTracker versions.

What's New in EventTracker version 7.2?

1. Enhanced Windows agent DLA feature and added a send as SYSLOG option and send via FTP/SFTP options.
2. Introducing a LITE version of the product that can be used in situations where only EventTracker Windows agent functionality is required and these agents can send the events (as SYSLOG's) to any third party Log receiver.
3. Indexing feature has been enhanced for faster searching and more optimized storage.
4. The internal limit for number of VCP's (which was 10 Windows & 10 SYSLOG) has been removed. Based on the system capacity (Disk, RAM, CPU, etc) any number of VCP's can be added.
5. New report added to help track all EventTracker configuration changes that have been made.
6. MSI provided for installing EventTracker Agent and Change Audit Agent.
7. StatusTracker feature enhanced and integrated into the product. New report also added to view StatusTracker information.
8. EventVault Explorer feature enhanced and integrated.
9. Compliance Dashboard added.
10. Acknowledge/Notes option added in incidents page & report to track them.
11. Provided a simple right click option to create an alert from the selected event.
12. Added a visual Correl rule builder.
13. Added an On-Demand Correl report.
14. Option to save agent Config to separate file and to retrieve agent Config info from these files.
15. Fine tuned key word indexing to get more benefit in reports & log search.
16. Option to display may category to any of the tabs, namely, Operations, Compliance or Security.
17. Agent Management tool enhancements.
18. Option provided in diagnostic dashlet to start/stop/restart a service.
19. Agent upgrade feature enhanced to list agent version details and also added check to prevent upgrade of incompatible versions.
20. Support for SQL Server.
21. SCAP Benchmark Profile editor.
22. Option to manage change audit agent from the manager.
23. Option to see the keyword statistics in log search sorted by occurrence/name.
24. DLA mode support, task/severity map changes for VMWARE events.

Changes and Bug Fixes in EventTracker v

1. All patches released for v7.1 are included in v
2. Resolved the problem with providing long report names for HTML reports.
3. Provided quick search options in most tabs to help users locate selections.
4. Added checks to prevent accidental upgrades of incompatible agents.
5. Fix for error when special chars are entered during alert configuration.
6. Fix for the display of blank system tree while editing a report with "All systems" selected.
7. Fix for invalid EventTracker links in RSS feeds for reports.
8. Fix for the issue where some of the events were getting missed in DLA mode from vista agent.
9. Facility to import/delete custom list of systems in Export Import Utility.
10. To allow manual configuration in EventVault storage path.
11. Adding custom data import feature for Systems/Groups.
12. Fix for wrong IP address validation in StatusTracker.
13. Recipients name is getting truncated in emails generated for alerts.
14. Fix for CAB transfer failures due to initialization failure of CP.
15. Fix for EventTracker Diagnostics performance issues.
16. Fix for TCP connection issues due to incomplete message header during DLA file transfer.
17. Fix for Agent DLA file transfer failures and EventVault failures in processing left over CAB files.
18. Fix for issue where mails are quarantined by gateway due to the wrong MIME format.
19. Fix for LogFileParser crash while processing Netflow logs.
20. Fix for synchronization issues with Collection Point configuration database.

What's New in EventTracker version 7.1?

EventTracker v7.1 (Build 52)
1. Filter Event id(s) and Event Source(s) when generating a report/analysis.
2. Configurable option to show/hide the statistics & graph display in log search page.
3. Custom data feature for system selection in EventTracker Agent Management Tool.
4. Facility to import/delete custom list of systems in Export Import Utility.

EventTracker v7.1 (Build 38)
1. DLA-Extensions (Other File Transfer Option)
2. Reading SQL DB Trace logs via DLA
3. Reading EVTX log files in DLA
4. CD/DVD monitoring (only Windows Explorer)
5. CP-CM to transfer index info files.
6. Standalone utility for analyzing event traffic from eventlog (enhanced GetAllEvt).
7. Change Audit, Change Assessment and Configuration Assessment dashlets added.
8. WebSlice for Alerts added.
9. Diagnostic/Application information dashlets
10. Smart Card reader
11. Extending CP-CM Data transfer for V7 features, changes done in Log Search page to provide a drop down to show the list of CPs.
12. New categories for StatusTracker audit events.

Prerequisites

Before you begin with the upgrade process, please follow this checklist and make sure that you have all the components in place to perform a successful upgrade.

The most effective upgrade method is to first export all the custom settings using Export Import Utility, install the new version, and then import the custom settings. There is no need to export all policy settings since all the Categories included in any prior versions have been retained.

The recommended method is to first upgrade the Manager, validate all its functionality, next upgrade the Agents, and lastly verify the performance.

Planning

This section gives you a rough estimation of time required for upgrading as well as monitoring the successful upgrade. It might take minutes for you to read this document and to complete the upgrade process gracefully. You will also require spending a few minutes the following day after the upgrade, to verify all your Scheduled Reports are being generated. If any reports fail to generate, then please read the Validation section at the end of this document.

Upgrade - Quick View

In this section, you can get quick insight into Upgrade process:
Upgrade from v6.4 b50 to v7.2 Enterprise
Upgrade from v7.0 to v7.2 Enterprise
Upgrade from v7.1 to v7.2 Enterprise

Upgrading from v6.4 b50 to v7.2 Enterprise

Before you start with the upgrade process
1. Verify that all the prerequisites described above have been satisfied.
2. Backup all custom Categories, Alerts (Please check the Export Settings check box), Filters, Scheduled Reports and RSS Feeds using Export Import Utility.
3. Close/terminate all the EventTracker components like Management console and Reports console, including RDP (Remote Desktop Protocol) sessions.
4. Note down the custom changes you have made in the Trusted List (Agent Configuration -> Network Connection Monitor -> Suspicious Traffic Only (SNAM) -> Trusted List).

Upgrade Procedure
1. Uninstall the existing version by retaining old configuration and data.
2. Restart the EventTracker manager server or system.
3. Install EventTracker v7.x Enterprise.
4. Configure the service accounts, if the archives/reports are stored in the network path.
5. Using Export Import Utility, import all the custom Categories, Alerts, Filters, Scheduled Reports and RSS Feeds.
6. Verify that the Categories, Alerts, Filters, Legacy Reports and RSS Feeds are intact.
7. Upgrade all agents using the System Manager.
8. Update the Trusted List with the changes you have noted down earlier.

Post Upgrade Process
By default, EventTracker sets the threat level of alerts imported from v6.4 as Undefined. You need to set the Threat level explicitly as per your requirement.

To set the Threat Level,
1. Open EventTracker Enterprise.
2. Click the Admin hyperlink, and select Alerts. EventTracker displays Alert Management page.
3. Click the alert name to be modified.
4. EventTracker displays Alert Configuration page.
5. Select the threat level from Threat Level dropdown.
6. Click the Finish button. EventTracker saves the configuration settings.

NOTE:
Upgrade process for v6.4 to v7.0/7.1/ v7.2 (any build) is same as described.
For v6.4 to v7.2 upgrade, if Keyword Indexing is installed and enabled, then launch the keyword Indexing file migration utility.
For CM and CP set up, please upgrade CM (Collection Master) first, and then upgrade CP (Collection point).
For agent upgrade details, please click here.

Upgrading from v7.0 to v7.2 Enterprise

Before you start with the upgrade process
Verify that all the prerequisites described above have been satisfied.
If you have incorporated your company logo into EventTracker, then take a backup of .jpg file of your company logo before uninstalling the EventTracker. You need to replace the backed up image file after installing EventTracker Enterprise.
Close/terminate all the EventTracker components like EventTracker Enterprise, EventTracker Control panel, including RDP (Remote Desktop Protocol) sessions.

Upgrading from v7.0 to v
1. Uninstall the existing version by retaining old configuration and data.
2. Restart the EventTracker manager server or system.
3. Install EventTracker v
4. Configure the service accounts, if the archives/reports are stored in the network path.
5. Verify that the Categories, Alerts, Filters, Scheduled Reports and RSS Feeds are intact.
6. Upgrade all windows agents using the System Manager.

NOTE:
Upgrade process for v7.0 to v7.1 or v7.2 (any build) is same as described.
For CM and CP set up, please upgrade CM (Collection Master) first, and then upgrade CP (Collection point).
For agent upgrade details, please click here.
The custom image files like .jpg or .png in the EventTrackerWeb folder will not be retained after the upgrade. You need to take a backup of those files.

Upgrading from v7.1 to v7.2 Enterprise

Before you start with the upgrade process
Verify that all the prerequisites described above have been satisfied.
If you have incorporated your company logo into EventTracker, then take a backup of .jpg file of your company logo before uninstalling the EventTracker. You need to replace the backed up image file after installing EventTracker Enterprise.
Close/terminate all the EventTracker components like EventTracker Enterprise, EventTracker Control panel, including RDP (Remote Desktop Protocol) sessions.

Upgrading from v7.1 to v
1. Uninstall the existing version by retaining old configuration and data.
2. Restart the EventTracker manager server or system.
3. Install EventTracker v
4. Configure the service accounts, if the archives/reports are stored in the network path.
5. Verify that the Categories, Alerts, Filters, Scheduled reports and RSS Feeds are intact.
6. Upgrade all windows agents using the System Manager.
7. Run KeywordMigration.exe file.

NOTE:
For v7.1 to v7.2 upgrade, if Keyword Indexing is installed and enabled, then launch the keyword Indexing file migration utility.
For CM and CP set up, please upgrade CM (Collection Master) first, and then upgrade CP (Collection point).
For agent upgrade details, please click here.
The custom image files like .jpg or .png in the EventTrackerWeb folder will not be retained after the upgrade. You need to take a backup of those files.

Upgrading from v7.2 (Build 38) to v7.2 (any build)

The procedure to upgrade from v7.2 (build 38) to v7.2 (any build) is the same as upgrading from v7.1 to v7.2.

In this section, you will learn upgrade process in detail.
Upgrade from v6.4 b50 to v7.2 Enterprise
Upgrade from v7.0 to v7.2 Enterprise
Upgrade from v7.1 to v7.2 Enterprise

Upgrading from v6.4 b50 to v7.2 Enterprise

Before you start with the upgrade process:

Creating Backup of the Configuration Data and Reports:
In order to retain the configuration data and report of existing version, you need to create backup for all custom Categories, Alerts, Filters, Scheduled reports, and RSS Feeds. This section will help you in creating backup files.

1. Open the EventTracker Management Console.
2. Click the Tools menu, and click Import and Export Utility.
Figure 1: EventTracker Manager Console >> Tools tab
EventTracker displays Export-Import Utility window.
3. Select the Category option, if not selected by default.
4. From the Categories field, select the EventTracker categories to be exported, and click the Add button. (Example: My Category).

Figure 2: Category
OR
Click Add All button to select all the categories.
5. Click the Export button. EventTracker displays Select Export File window.
Figure 3
6. Click Save in dropdown to select the file location, enter the File name, and click the Save button. EventTracker displays confirmation message box.

7. Click the OK button.
Figure 4
8. Select the Filters option, and click the Export button.
Figure 5: Filters
EventTracker displays Select Export File window.
9. Select the file location, enter file name, and click the Save button. EventTracker displays confirmation message box.
10. Click the Alerts option.
11. Click the Export Settings checkbox.
12. From the Alerts field, select the alerts to be exported, and click the Add button. (Example: My Alerts)

OR
Click Add All button to select all the Alerts.
13. Click the Export button.
Figure 6: Alerts
EventTracker displays Select Export File window.
14. Click Save in dropdown to select the file location, enter the file name, and click the Save button. EventTracker displays confirmation message box.
15. Click the OK button.
16. Click the Scheduled Reports, click the Export without System names box, and then click the Export button.

EventTracker displays Select Export File window.
Figure 7: Scheduled Reports
17. Click Save in dropdown to select the file location, enter the file name, and click the Save button. (Example: My Reports) EventTracker displays confirmation message box.
18. Click the OK button.
If there are no scheduled reports present in the database then EventTracker will display the information message.
Figure 8
19. Click the RSS Feeds option, and click the Export button.

Figure 9: RSS Feed
EventTracker displays Select Export File window.
20. Click Save in dropdown to select the file location, enter the file name, and click the Save button. (Example: RSS Feed) EventTracker displays confirmation message box.
21. Click the OK button.
If there are no RSS feeds present in the database then EventTracker displays an information message.
Figure 10
22. Click the Close button, to close the Export Import Utility window.

Note down the list of Trusted Connections
Note down the custom changes you have made in the Trusted List. This option will help you to get the Trusted list details.
1. Click Start > Programs > Prism Microsystems > Select EventTracker > and click EventTracker Control Panel. EventTracker displays EventTracker Control Panel.

Figure 11: EventTracker Control Panel
2. Click Agent Configuration icon.
Figure 12: Agent Configuration Window
By default, EventTracker displays Managers tab.
3. Click Network Connection Monitor tab, select Suspicious Traffic Only (SNAM) option, and click the Trusted List button. EventTracker displays Trusted Connections List pop-up window.

Figure 13: Trusted Connection List
4. Note down the custom changes you have done in the list.

Close/terminate all the EventTracker Components
Before you start with upgrade, it is very crucial to close/terminate all the EventTracker components present in the system, like Management Console, Report Console, and even RDP (Remote Desktop Protocol) session.
During uninstall, if any of the EventTracker components is open then EventTracker asks you to close the program.
Figure 14
Close the open components, and then click the Retry button. EventTracker resumes uninstall process.

Upgrade Procedure:

Step 1: Uninstall the version 6.4 b50 by retaining old configuration and data.
1. Click Start > Select Settings > click Control Panel > click Add or Remove Programs > Select EventTracker > Click the Remove button. Control Panel displays the confirmation message.
Figure 15
OR
Click Start > select Programs > select Prism Microsystems > select EventTracker > click Uninstall EventTracker. EventTracker displays the confirmation message.
Figure 16
2. Click the Yes button. EventTracker starts the uninstall process.
Figure 17
EventTracker displays Uninstall EventTracker confirmation pop up window.

3. Click the No button.
Figure 18
EventTracker displays Uninstall EventTracker pop up window.
Figure 19
By default, the checkboxes are selected. Keep the default selection to retain the data, reports, and configurations.
4. Click the OK button.

Step 2: Restart the EventTracker manager server or System.
1. Close all the open applications on the desktop.
2. Click Start > click Shut Down >> Select the Restart option from the dropdown >> click the OK button.

Step 3: Install EventTracker v7.2 Enterprise
For the details about Installation process, please refer EventTracker v7.2 Enterprise Installation Guide.
Link: %20Guide.pdf

Figure 20
NOTE: For v6.4, EventTracker uses MS Access database, and uses SQL database for v7.2. Before upgrade, you need to migrate the database from MS Access to SQL database. For this purpose, a Migration Utility will appear while installing v7.2 (See figure 20). This utility will migrate EventVault path, Install path, SMTP port, VCP port details etc. to new SQL database.
If you have more than one SQL database instances, then you can select the required instance from the Server dropdown, and then click the Next>> button to proceed migration.
Figure 21
After a successful migration process, EventTracker displays a Status: Migration Success message. Click the Finish button to go back to the EventTracker installation process.

Step 4: Configure the service accounts, if the archives/reports are stored in the network path.
Click here to read Configure the service accounts section.

Step 5: Import all the custom Categories, Alerts, Filters, Scheduled reports and RSS Feeds
After successful EventTracker Enterprise installation, you need to import the custom categories, Alerts, Filters, Scheduled reports and RSS Feeds, which you have exported from EventTracker v
1. Click Start > Programs > Prism Microsystems > EventTracker > and click EventTracker Control Panel. EventTracker displays EventTracker Control Panel.
Figure 22: EventTracker Control Panel
2. Click Export Import Utility icon. EventTracker displays Export Import Utility window.
3. Click the Import tab.

4. Click Category (If not selected).
Figure 23: Category
5. Click the browse button, select the location of the file, and click the Open button.
6. Click the Import button. EventTracker displays Export Import Utility pop up window.
7. Click the OK button.
8. Select the Filters option.
Figure 24
9. Click the browse button, select the location of the file, and click the Open button.
10. Click the Import button. EventTracker displays Export Import Utility pop up window.

Figure 25
11. Click the OK button.
12. Click the Alerts option.
Figure 26: Alerts
13. Select Import settings checkbox, if not selected.
14. In the Set Active pane, select the appropriate option.
15. Click the browse button, select the location of the file, and click the Open button.
16. Click the Import button. EventTracker displays Export Import Utility pop up window.
Figure 27
17. Click the OK button.
18. Select the RSS Feeds option.

Figure 28: RSS Feeds
19. Click the browse button, select the location of the file, and click the Open button.
20. Click the Import button. EventTracker displays Export Import Utility pop up window.
Figure 29
21. Click the OK button.
22. Select the Scheduled Reports option.

Figure 30: Scheduled Reports
23. Click the browse button, select the location of the file, and click the Open button.
24. Click the Import button. EventTracker displays Export Import Utility pop up window.
Figure 31
25. Click the OK button.
26. Click the Close button.

Step 6: Verify that the imported Categories, Alerts, Filters, Legacy reports and RSS Feeds are intact.

Verify Category:
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, and click Category. EventTracker displays Category Management Page.
3. Search for the imported custom category under Category Tree tab. In addition, you can find the custom category on the right side of the page, in Last 10 modified categories list.

Example: My Category
Figure 32: Category Management
OR
Click the Search tab, enter the category name in the Search field, and then click the Go button.
Figure 33

Verify Alerts:
1. Click the Admin hyperlink, and click Alerts. EventTracker displays Alert Management page.
Figure 34: Alert Management
2. Enter the alert name in Search Field, and click the Go button.
Figure 35
In addition, you can make use of scroll bar to find alerts and the page numbers provided at the top and bottom of Alert Management page.

Verify Filters:
1. Click the Admin hyperlink, and click Event Filters. EventTracker displays Event Filters page. The newly imported filters are listed in this page.
Figure 36
2. Click the filter name to see the imported filter details. EventTracker displays Event Filter configuration page.
Figure 37: Event Filter Configuration

Verify Generated Reports:
Upon upgrade to version 7.x, the successfully generated reports from version 6.4 can be viewed in "Legacy Reports" present under the Tools menu. Using Export Import utility you can import the report configurations (of version 6.4) to continue the report generation process in the scheduled time. The report configurations can be seen under the respective reports/analysis tab.
1. Click the Tools dropdown, and click Legacy Reports. EventTracker displays Legacy Reports dialog box.
Figure 38: Legacy Reports
2. Expand Legacy Reports folder, and click Scheduled. Here you will get to see the list of successfully generated reports from version 6.4.
Figure 39

Verify RSS Feeds:
1. Click the Admin hyperlink, and then click the RSS. EventTracker displays RSS Feeds page. The newly imported RSS feeds are listed in this page.
Figure 40: RSS Feeds

Step 7: Upgrade all agents using the System Manager.
EventTracker agent upgrade is necessary to keep the agents up to date with the manager system.
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, and select Systems. EventTracker displays System Manager page.
3. Right click the desired domain/group name, and select Upgrade agent.
Figure 41: System Manager
EventTracker displays Upgrade Remote Agent(s) pop-up window.

Figure 42: Upgrade Agent
OR
Move the cursor on the remote systems name (where the agent is installed), click the dropdown arrow, and select Upgrade Agent.
Figure 43: Upgrade Agent
EventTracker displays Upgrade Remote Agent(s) pop-up window.

Figure 44
4. Choose the agent(s) to be upgraded by selecting checkbox, and click the Next button.
Figure 45
5. Select Windows Domain Network option, and fill in the user credentials,

Figure 46
OR
Select the Upgrade over IP (Non-Windows Domain) option.
Figure 47
6. Select Install default Remedial Action EXEs on this system checkbox. EventTracker displays confirmation message.
Figure 48
7. Click the OK button, and click the Upgrade button.

EventTracker displays information message.
8. Click the OK button. EventTracker displays System Status screen.
Figure 49
9. Click the refresh button, to see the latest status.
Figure 50: System Status
NOTE: It may take some time to load the status.
Figure 51

Step 8: Update Trusted list
In v6.4, if you have made any changes in Trusted Connection List then you need to update the same in v7.1 Trusted connection List. This option will help you to update the trusted connection list.
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, select Windows Agent Config, and select the Network Connection Monitor tab.
3. Click Suspicious Traffic Only (SNAM) option, and click the Trusted List button. EventTracker displays Trusted Connections List pop-up window.
Figure 52: Trusted Connection List
4. Click the New button, fill in the appropriate credentials, and then click the Ok button.
Figure 53
The updated details will appear in Trusted Connection List.

Figure 54

NOTE:
You can also find the Trusted Connection List details in spmconfig.ini file. The file is saved under: Program Files\Prism Microsystems\EventTracker\Agent\spmConfig.ini.

If Keyword indexing is installed and enabled, launch the keyword indexing file migration utility. The keyword Indexer folder is restructured. To put the old indexed files into the new structure, KeywordMigration.exe utility file has been provided along with build 7.2. This utility migrates the existing keyword files to new structure. The path for utility file is: <Install folder>\eventtrackerweb\bin\keywordmigration.exe

In EventTracker Control Panel >> EventTracker Agent Configuration >> Event Filters tab, Information and Audit Success event types are unchecked by default. Select the Information and Audit Success checkboxes in order to filter large number of Information and Audit Success events.

Agent upgrade: While upgrading the Remote agent, make sure to select the appropriate configuration file containing the port that was previously configured in v6.4.
I. Click the Advanced button. EventTracker displays Upgrade Remote Agent(s) pop-up window.

II. Select Custom Config option.
Figure 55
III. Select the required .ini file from the File dropdown.
IV. Click the Upgrade button.
Example: In v6.4, if the agent is deployed in a port (Ex ) then during upgrade, select etaconfig_14575.ini file from the file dropdown.
*This is also applicable for v7.0/v7.1 to v7.2

For further configuration changes, please contact the PRISM support team.

Post Upgrade Process:
By default, EventTracker sets the Threat level of alerts imported from v6.4 as Undefined.
Figure 56: Alert Management
You need to explicitly set the threat level as per your requirement.

To set the threat level,
1. Open EventTracker Enterprise.
2. Click the Admin hyperlink, and select Alerts. EventTracker displays Alert Management page. (See Figure 56)
3. Click the alert name to be modified. EventTracker displays Alert Configuration page. (See Figure 57)
Figure 57: Alert Configuration
4. Select the threat level from Threat Level dropdown.
5. Click the Finish button. EventTracker saves the configuration settings.

Upgrading from v7.0 to v7.2 Enterprise

Before you start with the upgrade process:

Take a backup of VCP *.ini files
If the VCP ports have been created, then before performing an upgrade from EventTracker v7.0 (any build) to v7.2 (any build), take a backup of the *.ini files (example: etaconfig_14580.ini) which are present in the RemoteInstaller folder.

To take a backup of the VCP *.ini files:
1. Open <install dir>\EventTracker\RemoteInstaller, and copy the VCP *.ini files.
2. Save the .ini files into some other location.
3. Once the EventTracker uninstallation is finished, copy and paste the VCP *.ini files saved earlier to the <install dir>\EventTracker\RemoteInstaller folder.
4. After the successful upgrade, verify if the restored .ini files are reflecting in the Upgrade Remote Agent(s) >> Custom Config option >> File dropdown.

Upgrade Procedure:

Step 1: Uninstall EventTracker version
1. Click Start > Settings > Control Panel > Add or Remove Programs > EventTracker > and click the Remove button. Control Panel displays the confirmation message.
Figure 58
OR
Click Start > Programs > Prism Microsystems > EventTracker > and click Uninstall EventTracker. EventTracker will display the confirmation message.

Figure 59
2. Click the Yes button. EventTracker starts uninstall process and displays Uninstall EventTracker confirmation pop up window.
Figure 60
By default, EventTracker selects the data and configuration files to be retained. Keep the default selection as it is.

Step 2: Restart the EventTracker Manager Server or System
1. Close all the open applications on the desktop.
2. Click Start > click Shut Down
3. Select the Restart option from the dropdown, and then click the OK button.

Step 3: Install EventTracker v7.2 Enterprise.
For the details about Installation process, please refer EventTracker v7.2 Enterprise Installation Guide.
Link: tion%20guide.pdf

Step 4: Configure the service accounts, if the archives/reports are stored in the network path.
Click here to read Configure the service accounts section.
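
The VCP *.ini backup and restore described under "Take a backup of VCP *.ini files" can be scripted so that the restored files are provably the ones that were saved. The following PowerShell script is an added example, not part of the original guide or of Prism's tooling; the parameter names, the manifest file name and the SHA-256 check are assumptions introduced here, and Get-FileHash requires Windows PowerShell 4.0 or later.

```powershell
# Added example (not from the guide): back up the VCP *.ini files before the
# uninstall, then restore them afterwards and confirm every file is unchanged.
# Assumptions: parameter names, manifest file name, SHA-256 as the integrity
# check, and Windows PowerShell 4.0 or later (for Get-FileHash).
param(
    [Parameter(Mandatory = $true)][ValidateSet('Backup', 'Restore')]
    [string]$Mode,
    # The guide's <install dir>; supply the real path, none is assumed here.
    [Parameter(Mandatory = $true)][string]$InstallDir,
    # Any folder outside the install tree, so the uninstall cannot touch it.
    [Parameter(Mandatory = $true)][string]$BackupDir
)

$ErrorActionPreference = 'Stop'
$remoteInstaller = Join-Path $InstallDir 'EventTracker\RemoteInstaller'
$manifestPath    = Join-Path $BackupDir 'vcp-ini-manifest.csv'

function Get-Sha256([string]$Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

function Backup-VcpIni {
    if (-not (Test-Path -LiteralPath $remoteInstaller -PathType Container)) {
        throw "RemoteInstaller folder not found: $remoteInstaller"
    }
    # -Filter can also match longer extensions, so check the extension exactly.
    $files = @(Get-ChildItem -LiteralPath $remoteInstaller -Filter '*.ini' -File |
               Where-Object { $_.Extension -eq '.ini' })
    if ($files.Count -eq 0) {
        Write-Warning "No *.ini files in $remoteInstaller; nothing to back up."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $manifest = foreach ($file in $files) {
        $copy = Join-Path $BackupDir $file.Name
        Copy-Item -LiteralPath $file.FullName -Destination $copy -Force
        $hash = Get-Sha256 $file.FullName
        if ((Get-Sha256 $copy) -ne $hash) {
            throw "Backup copy of $($file.Name) differs from the source."
        }
        [pscustomobject]@{ Name = $file.Name; SHA256 = $hash }
    }
    # The manifest records what was saved, for comparison at restore time.
    $manifest | Export-Csv -LiteralPath $manifestPath -NoTypeInformation
    $manifest
}

function Restore-VcpIni {
    if (-not (Test-Path -LiteralPath $manifestPath -PathType Leaf)) {
        throw "Manifest not found: $manifestPath (run -Mode Backup before uninstalling)"
    }
    if (-not (Test-Path -LiteralPath $remoteInstaller -PathType Container)) {
        throw "RemoteInstaller folder not found: $remoteInstaller"
    }
    foreach ($entry in Import-Csv -LiteralPath $manifestPath) {
        # Use the leaf name only, so an edited manifest cannot write elsewhere.
        $name   = Split-Path -Path $entry.Name -Leaf
        $saved  = Join-Path $BackupDir $name
        $target = Join-Path $remoteInstaller $name
        # Refuse to restore a saved copy that changed while it sat in the backup folder.
        if ((Get-Sha256 $saved) -ne $entry.SHA256) {
            throw "Saved copy of $name no longer matches the manifest; not restoring."
        }
        $replaced = Test-Path -LiteralPath $target
        Copy-Item -LiteralPath $saved -Destination $target -Force
        [pscustomobject]@{
            Name     = $name
            Replaced = $replaced   # True if a file of that name was already present
            Verified = ((Get-Sha256 $target) -eq $entry.SHA256)
        }
    }
}

switch ($Mode) {
    'Backup'  { Backup-VcpIni }
    'Restore' { Restore-VcpIni }
}
```

Run it with -Mode Backup before uninstalling and with -Mode Restore once the uninstall has finished. The check in the Upgrade Remote Agent(s) >> Custom Config option >> File dropdown still has to be done in the console.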

Step 5: Verify that the imported Categories, Alerts, Filters, Scheduled Reports and RSS Feeds are intact

Verify Category:
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, and click Category. EventTracker displays the Category Management page.
3. Search for the imported custom category under the Category Tree tab. In addition, you can find the custom category on the right side of the page, in the Last 10 modified categories list.
Example: My Category
OR
Figure 61: Category
Click the Search tab, enter the Category name in the Search field, and then click the Go button.

Figure 62

Verify Alerts:
1. Click the Admin hyperlink, and click Alerts. EventTracker displays the Alert Management page.
Figure 63: Alert Management
2. Enter the Alert name in the Search field, and then click the Go button.
Example: My Alert

Figure 64
To find Alerts in the list, you can use the scroll bar and the page numbers provided at the bottom of the Alert Management page.

Verify Filters:
1. Click the Admin hyperlink, and click Event Filters. EventTracker displays the Event Filters page. The newly imported filters are listed on this page.
Example: My Filter
Figure 65
2. Click the Filter name to see the imported filter details. EventTracker displays the Event Filter configuration page.

Figure 66: Event Filter Configuration

Verify RSS Feeds:
Click the Admin hyperlink, and then click RSS. EventTracker displays the RSS Feeds page. The newly imported RSS Feeds are listed on this page.
Example: New Feeds
Figure 67: RSS Feeds

Step 6: Upgrade all Windows Agents using the System Manager
The EventTracker Agent upgrade is necessary to keep the agents up to date with the manager system.
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, and select Systems. EventTracker displays the System Manager page.
3. Right-click the desired domain/group name, and select Upgrade agent.

Figure 68: System Manager
EventTracker displays the Upgrade Remote Agent(s) pop-up window.
OR
Figure 69: Upgrade Agent
Move the cursor over the remote system's name (where the agent is to be installed), click the dropdown arrow, and select Upgrade Agent.

Figure 70: Upgrade Agent
EventTracker displays the Upgrade Remote Agent(s) pop-up window.
Figure 71
4. Select the checkbox next to the remote system where the agent is to be upgraded, and click the Next button.

Figure 72
NOTE: To upgrade the Change Audit agent, select the checkbox in the Change Audit column.
Figure 73
5. Select the Windows Domain Network option, and fill in the user credentials,

OR
Figure 74
Select the Upgrade over IP (Non-Windows Domain) option.
Figure 75
6. Select the Install default Remedial Action EXEs on this system checkbox. EventTracker displays a confirmation message.

7. Click the OK button, and click the Upgrade button. EventTracker displays an information message.
Figure 76
8. Click the OK button. EventTracker displays the System Status screen.
Figure 77
Figure 78: System Status
9. Click the refresh button to see the latest status, as it may take some time to load the status of the system.

Figure 79
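The VCP *.ini backup and restore steps at the start of this upgrade path can be scripted so that the restored files are checked against what was saved. The script below is an added example, not part of the EventTracker guide or product; the script name, the manifest file name and the default `etaconfig_*.ini` pattern (taken from the guide's example file name) are assumptions.

```powershell
# Added example (not from the EventTracker guide). Requires PowerShell 4.0+ (Get-FileHash).
# Hypothetical script name and usage; the paths are placeholders:
#   .\Save-VcpIni.ps1 -RemoteInstaller '<install dir>\EventTracker\RemoteInstaller' `
#                     -BackupDir 'D:\vcp-ini-backup' -Mode Backup
#   (uninstall as described in the guide, then run again with -Mode Restore)
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$RemoteInstaller,
    [Parameter(Mandatory = $true)][string]$BackupDir,
    [Parameter(Mandatory = $true)][ValidateSet('Backup', 'Restore')][string]$Mode,
    # Assumption: VCP files follow the pattern of the guide's example, etaconfig_14580.ini.
    [string]$Pattern = 'etaconfig_*.ini'
)

$ErrorActionPreference = 'Stop'
$manifestPath = Join-Path $BackupDir 'vcp-ini-manifest.csv'   # hypothetical file name

if ($Mode -eq 'Backup') {
    $files = @(Get-ChildItem -Path $RemoteInstaller -Filter $Pattern -File)
    if ($files.Count -eq 0) { throw "No files matching $Pattern in $RemoteInstaller" }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $manifest = foreach ($file in $files) {
        Copy-Item -Path $file.FullName -Destination $BackupDir
        # Confirm the copy matches the original before relying on the backup.
        $source = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $copy   = (Get-FileHash -Path (Join-Path $BackupDir $file.Name) -Algorithm SHA256).Hash
        if ($source -ne $copy) { throw "Backup copy of $($file.Name) does not match the original" }
        [pscustomobject]@{ Name = $file.Name; SHA256 = $source }
    }
    $manifest | Export-Csv -Path $manifestPath -NoTypeInformation
    "Backed up $($files.Count) file(s); manifest written to $manifestPath"
}
else {
    $failed = 0
    foreach ($entry in Import-Csv -Path $manifestPath) {
        $saved    = Join-Path $BackupDir $entry.Name
        $restored = Join-Path $RemoteInstaller $entry.Name
        # Do not restore a backup file that changed after it was saved.
        if ((Get-FileHash -Path $saved -Algorithm SHA256).Hash -ne $entry.SHA256) {
            Write-Warning "$($entry.Name): backup copy no longer matches the manifest, skipped"
            $failed++
            continue
        }
        Copy-Item -Path $saved -Destination $restored -Force
        if ((Get-FileHash -Path $restored -Algorithm SHA256).Hash -eq $entry.SHA256) {
            "$($entry.Name): restored and verified"
        }
        else {
            Write-Warning "$($entry.Name): restored file does not match the manifest"
            $failed++
        }
    }
    if ($failed -gt 0) { throw "$failed file(s) failed verification" }
}
```

The hash check confirms file content only; step 4 of the backup procedure (the File dropdown under Custom Config) is still the check that EventTracker sees the restored files.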

Upgrading from v7.1 to v7.2 Enterprise

Before you start with the upgrade process
Close/terminate all the EventTracker components, such as EventTracker Enterprise and EventTracker Control Panel, including RDP (Remote Desktop Protocol) sessions.

Upgrade Procedure

Step 1: Close/terminate all the EventTracker Components
Before you start the upgrade, it is crucial to close/terminate all the EventTracker components present in the system, such as EventTracker Enterprise, EventTracker Control Panel, and even RDP (Remote Desktop Protocol) sessions. During uninstall, if any EventTracker component is open, EventTracker asks you to close the program.
Figure 80
Close the open component, and then click the Retry button. EventTracker resumes the uninstall process.

Step 2: Uninstall the existing version
1. Click Start > Settings > Control Panel > Add or Remove Programs > EventTracker, and click the Remove button. Control Panel displays the confirmation message.
OR
Figure 81
Click Start > Programs > Prism Microsystems > EventTracker, and click Uninstall EventTracker. EventTracker displays the confirmation message.
2. Click the Yes button. EventTracker starts the uninstall process.
Figure 82
Figure 83
EventTracker displays the Uninstall EventTracker confirmation pop-up window.

Figure 84
By default, the checkboxes are selected. Keep the default selection to retain the data and configurations.
3. Click the OK button.

Step 3: Restart the EventTracker Manager Server or System
1. Close all the open applications on the desktop.
2. Click Start, and then click Shut Down.
3. Select the Restart option from the dropdown, and then click the OK button.

Step 4: Install EventTracker v7.2 Enterprise.
For the detailed installation process, refer to the EventTracker v7.2 Enterprise Installation Guide.

Step 5: Configure the service accounts, if the archives/reports are stored in the network path.
See the Configuring Service Accounts section.

Step 6: Verify that the Categories, Alerts, Filters, and RSS Feeds are intact

Verify Category:
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, and click Category. EventTracker displays the Category Management page.
3. Search for the imported custom category under the Category Tree tab. In addition, you can find the custom category on the right side of the page, in the Last 10 modified categories list.
Example: New Category

OR
Figure 85: Category Management
Click the Search tab, enter the Category name in the Search field, and then click the Go button.
Figure 86

Verify Alerts:
1. Click the Admin hyperlink, and click Alerts. EventTracker displays the Alert Management page.
Figure 87: Alert Management
2. Enter the Alert name in the Search field, and click the Go button.
Figure 88
To find Alerts in the list, you can use the scroll bar and the page numbers provided at the bottom of the Alert Management page.

Verify Filters:
1. Click the Admin hyperlink, and click Event Filters. EventTracker displays the Event Filters page. The newly imported filters are listed on this page.
Figure 89: Event Filter Configuration
2. Click the Filter name to see the imported filter details. EventTracker displays the Event Filter configuration page.
Figure 90: Event Filter Configuration

Verify RSS Feeds:
1. Click the Admin hyperlink, and click RSS.
2. EventTracker displays the RSS Feeds page. The newly imported RSS Feeds are listed on this page.

Figure 91: RSS Feeds

Step 7: Upgrade all Windows Agents using the System Manager
The EventTracker Agent upgrade is necessary to keep the agents up to date with the manager system.
1. Log on to EventTracker Enterprise.
2. Click the Admin hyperlink, and select Systems. EventTracker displays the System Manager page.
3. Right-click the desired domain/group name, and select Upgrade agent.
Figure 92: System Manager
EventTracker displays the Upgrade Remote Agent(s) pop-up window.

OR
Figure 93: Upgrade Agent
Move the cursor over the remote system's name (where the agent is to be installed), click the dropdown arrow, and select Upgrade Agent.
Figure 94: Upgrade Agent
EventTracker displays the Upgrade Remote Agent(s) pop-up window.

Figure 95
4. Select the checkbox next to the remote system where the agent is to be upgraded, and click the Next button.
Figure 96
NOTE: If you want to upgrade the Change Audit agent, select the checkbox in the Change Audit column.

Figure 97
5. Select the Windows Domain Network option, and fill in the user credentials,
OR
Figure 98
Select the Upgrade over IP (Non Windows Domain) option.

Figure 99
6. Select the Install default Remedial Action EXEs on this system checkbox. EventTracker displays a confirmation message.
Figure 100
7. Click the OK button, and click the Upgrade button. EventTracker displays an information message.
8. Click the OK button. EventTracker displays the System Status screen.
Figure 101

Figure 102: System Status
9. Click the refresh button to see the latest status.
NOTE: It may take some time to load the status.
Figure 103

Step 8: Run the KeywordMigration.exe file
The keyword Indexer folder is restructured. To put the old indexed files into the new structure, the KeywordMigration.exe utility has been provided along with build 7.2. This utility migrates the existing keyword files to the new structure. The path of the utility file is <Install folder>\eventtrackerweb\bin\keywordmigration.exe

Upgrading from v7.2 (Build 38) to v7.2 (any build)

The procedure to upgrade from v7.2 (build 38) to v7.2 (any build) is the same as upgrading from v7.1 to v7.2. For the v7.2 (build 38) to v7.2 (any build) upgrade, follow the detailed instructions given in the Upgrading from v7.1 to v7.2 section.

Configuring Service Accounts

If a UNC (Uniform Naming Convention) path is set for storing Archives/Reports, then the EventTracker Scheduler, EventTracker EventVault, EventTracker Reporter, EventTracker Indexer and Event Correlator (if available) services must run under a user account that has full permission on that UNC path.

1. Click the Start button, and select Run.
2. Type services.msc, and click the OK button.
Figure 104
3. In the Services window, search for EventTracker services.
Figure 105
4. Right-click the service name, and click Properties. For example: right-click the EventTracker EventVault service. The EventTracker EventVault Properties (Local Computer) dialog box appears on the screen.

Figure 106
5. Click the Log On tab, and select the This account option.
Figure 107
6. Enter the user credentials and correct password. The user name should be in domain name\user name format.
7. Click the Apply button. A warning message is displayed on the desktop.

8. Click the OK button.
Figure 108
9. Click the OK button.
10. To run the service with the new logon name, stop and start the service.
11. Likewise, for the rest of the services, repeat step 4 to step 10 to change the service account. The Log On As column displays the changed service account name.
Figure 109
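A check for the outcome of this procedure, as an added example that is not part of the EventTracker guide: it reports the logon account of the services named in this section and the NTFS rights that account holds directly on the archive path. The account name and UNC path are placeholders, and it is an assumption that the installed service display names contain the names listed above.

```powershell
# Added example (not from the EventTracker guide). Requires PowerShell 3.0+ (Get-CimInstance).
[CmdletBinding()]
param(
    # Placeholder values: replace with the account and UNC path used in your deployment.
    [string]$ExpectedAccount = 'EXAMPLE\svc-eventtracker',
    [string]$UncPath = '\\fileserver.example\EventTrackerArchives'
)

# Service names as listed in this section; assumed to appear in the installed display names.
$GuideServiceNames = 'EventTracker Scheduler', 'EventTracker EventVault',
                     'EventTracker Reporter', 'EventTracker Indexer', 'Event Correlator'

$services = @(Get-CimInstance -ClassName Win32_Service | Where-Object {
    $displayName = $_.DisplayName
    @($GuideServiceNames | Where-Object { $displayName -like "*$_*" }).Count -gt 0
})
if ($services.Count -eq 0) { Write-Warning 'None of the listed services were found on this system.' }

# 1. Logon account per service (the "Log On As" column in services.msc).
#    The comparison is a plain string match, so use the same domain name\user name form.
$report = foreach ($svc in $services) {
    [pscustomobject]@{
        Service    = $svc.DisplayName
        State      = $svc.State
        LogOnAs    = $svc.StartName
        AsExpected = ($svc.StartName -eq $ExpectedAccount)
    }
}
$report | Format-Table -AutoSize

# 2. NTFS rights granted directly to that account on the UNC path.
#    Rights obtained through group membership and share-level permissions are not evaluated.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -LiteralPath $UncPath
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ExpectedAccount -and $_.AccessControlType -eq 'Allow'
})
$aces | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
$hasFull = @($aces | Where-Object { ($_.FileSystemRights -band $fullControl) -eq $fullControl }).Count -gt 0

# 3. Summary of anything that does not match the configuration this section describes.
$mismatched = @($report | Where-Object { -not $_.AsExpected })
if ($mismatched.Count -gt 0) {
    Write-Warning "$($mismatched.Count) service(s) do not run as ${ExpectedAccount}: $($mismatched.Service -join ', ')"
}
if (-not $hasFull) {
    Write-Warning "No direct Allow entry with FullControl for $ExpectedAccount on $UncPath"
}
```

Run it from an elevated session on the EventTracker manager system, under an account that can read the permissions on the UNC path.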


Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

Integrate Apache Web Server

Integrate Apache Web Server Publication Date: January 13, 2017 Abstract This guide helps you in configuring Apache Web Server and EventTracker to receive Apache Web server events. The detailed procedures required for monitoring Apache

More information

Integration of Phonefactor or Multi-Factor Authentication

Integration of Phonefactor or Multi-Factor Authentication or Multi-Factor Authentication Publication Date: October 05, 2015 Abstract This guide provides instructions to configure phonefactor to send the event logs to EventTracker. Once events are configured to

More information

Integrating Imperva SecureSphere

Integrating Imperva SecureSphere Integrating Imperva SecureSphere Publication Date: November 30, 2015 Abstract This guide provides instructions to configure Imperva SecureSphere to send the syslog events to EventTracker. Scope The configurations

More information

Integrate Microsoft Antimalware. EventTracker v8.x and above

Integrate Microsoft Antimalware. EventTracker v8.x and above Integrate Microsoft Antimalware EventTracker v8.x and above Publication Date: September 6, 2017 Abstract This guide provides instructions to configure Microsoft Antimalware to send logs to EventTracker

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

VMware vrealize Operations for Horizon Installation. VMware vrealize Operations for Horizon 6.3

VMware vrealize Operations for Horizon Installation. VMware vrealize Operations for Horizon 6.3 VMware vrealize Operations for Horizon Installation VMware vrealize Operations for Horizon 6.3 VMware vrealize Operations for Horizon Installation You can find the most up-to-date technical documentation

More information

Integrate Cisco Sourcefire

Integrate Cisco Sourcefire Integrate Cisco Sourcefire EventTracker Enterprise Publication Date: April 18, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com About this Guide This guide will facilitate

More information

Integrate Palo Alto Traps. EventTracker v8.x and above

Integrate Palo Alto Traps. EventTracker v8.x and above EventTracker v8.x and above Publication Date: August 16, 2018 Abstract This guide provides instructions to configure Palo Alto Traps to send its syslog to EventTracker Enterprise. Scope The configurations

More information

EventTracker v9.0. Install Guide

EventTracker v9.0. Install Guide EventTracker v9.0 Install Guide Publication Date: December 11, 2017 Abstract This guide will help the users to install and configure EventTracker Enterprise, and verify the expected functionality of all

More information

How to - Install EventTracker Windows and Change Audit Sensor Sensor Deployment User Manual-v9.1

How to - Install EventTracker Windows and Change Audit Sensor Sensor Deployment User Manual-v9.1 How to - Install EventTracker Windows and Change Audit Sensor Sensor Deployment User Manual-v9.1 Publication Date: January 30, 2019 Abstract EventTracker Sensor deployment processes are described in detail

More information

Installation Guide. Version R94. English

Installation Guide. Version R94. English Kaseya Server Setup Installation Guide Version R94 English September 20, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

Integrate F5 BIG-IP LTM

Integrate F5 BIG-IP LTM Publication Date: October 30, 2015 Abstract This guide provides instructions to configure F5 BIG-IP LTM to send the syslog events to EventTracker. Scope The configurations detailed in this guide are consistent

More information

Integrate McAfee Firewall Enterprise VPN

Integrate McAfee Firewall Enterprise VPN Integrate McAfee Firewall Enterprise VPN Publication Date: January 06, 2016 Abstract This guide provides instructions to configure McAfee Firewall Enterprise (Sidewinder) VPN to send the syslog events

More information

Integrate Bluecoat Content Analysis. EventTracker v9.x and above

Integrate Bluecoat Content Analysis. EventTracker v9.x and above EventTracker v9.x and above Publication Date: June 8, 2018 Abstract This guide provides instructions to configure a Bluecoat Content Analysis to send its syslog to EventTracker Enterprise. Scope The configurations

More information

VMware vrealize Operations for Horizon Installation

VMware vrealize Operations for Horizon Installation VMware vrealize Operations for Horizon Installation vrealize Operations for Horizon 6.4 Installation vrealize Operations for Horizon 6.4 This document supports the version of each product listed and supports

More information

How to - Install EventTracker Windows and Change Audit Sensor Sensor Deployment User Manual-v9.0

How to - Install EventTracker Windows and Change Audit Sensor Sensor Deployment User Manual-v9.0 How to - Install EventTracker Windows and Change Audit Sensor Sensor Deployment User Manual-v9.0 Publication Date: January 22, 2018 Abstract EventTracker Sensor deployment processes are described in detail

More information

VMware vrealize Operations for Horizon Installation. VMware vrealize Operations for Horizon 6.5

VMware vrealize Operations for Horizon Installation. VMware vrealize Operations for Horizon 6.5 VMware vrealize Operations for Horizon Installation VMware vrealize Operations for Horizon 6.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Integrate Cisco VPN Concentrator

Integrate Cisco VPN Concentrator Integrate Cisco VPN Concentrator EventTracker v7.x Publication Date: July 24, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides instructions to

More information

Veriato Recon / 360. Version 9.0.3

Veriato Recon / 360. Version 9.0.3 Veriato Recon / 360 Version 9.0.3 1/3/2018 Upgrade Guide January 3, 2018 Table of Contents Before You Begin... 1 What's New... 1 How the System Works... 1 Upgrade Support... 6 Update Antivirus Exclusions...

More information

NetIQ Privileged Account Manager 3.5 includes new features, improves usability and resolves several previous issues.

NetIQ Privileged Account Manager 3.5 includes new features, improves usability and resolves several previous issues. Privileged Account Manager 3.5 Release Notes July 2018 NetIQ Privileged Account Manager 3.5 includes new features, improves usability and resolves several previous issues. Many of these improvements were

More information

EventTracker: Backup and Restore Guide Version 9.x

EventTracker: Backup and Restore Guide Version 9.x EventTracker: Backup and Restore Guide Version 9.x Publication Date: June 6, 2018 Abstract Best practices always advice us to retain periodic backups of all critical applications data. For EventTracker,

More information

Integrate Cisco IOS Publication Date: April 15, 2016

Integrate Cisco IOS Publication Date: April 15, 2016 Publication Date: April 15, 2016 Abstract This guide provides instructions to configure Cisco IOS to send the syslog events to EventTracker. Scope The configurations detailed in this guide are consistent

More information

Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker

Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker Publication Date: June 12, 2012 Abstract EventTracker allows you to effectively manage your systems and provides operational efficiencies

More information

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory Netwrix Auditor for Active Directory Quick-Start Guide Version: 8.0 4/22/2016 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

AT&T Core Mobility Integrated Dispatch Console User Guide. Installation Guide. AT&T Integrated Dispatch Console 3.0

AT&T Core Mobility Integrated Dispatch Console User Guide. Installation Guide. AT&T Integrated Dispatch Console 3.0 Installation Guide AT&T Integrated Dispatch Console 3.0 October 2016 Table of Content 1. Introduction... 3 1.1. Purpose and Scope... 3 1.2. Terms and Definitions... 3 1.3. About this Manual... 5 1.4. What

More information

Configure Alerts. EventTracker v6.x. EventTracker 8815 Centre Park Drive Columbia MD Publication Date: Jun 12, 2009

Configure Alerts. EventTracker v6.x. EventTracker 8815 Centre Park Drive Columbia MD Publication Date: Jun 12, 2009 Configure Alerts EventTracker v6.x Publication Date: Jun 12, 2009 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com ABSTRACT The purpose of this document is to describe the configuration

More information

Dell Repository Manager Business Client Version 2.0 User s Guide

Dell Repository Manager Business Client Version 2.0 User s Guide Dell Repository Manager Business Client Version 2.0 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION

More information

Integrate Veeam Backup and Replication. EventTracker v9.x and above

Integrate Veeam Backup and Replication. EventTracker v9.x and above Integrate Veeam Backup and Replication EventTracker v9.x and above Publication Date: September 27, 2018 Abstract This guide provides instructions to configure VEEAM to send the event logs to EventTracker

More information

Installation on Windows Server 2008

Installation on Windows Server 2008 USER GUIDE MADCAP PULSE 4 Installation on Windows Server 2008 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described

More information

LiveNX Upgrade Guide from v5.1.2 to v Windows

LiveNX Upgrade Guide from v5.1.2 to v Windows LIVEACTION, INC. LiveNX Upgrade Guide from v5.1.2 to v5.1.3 - Windows UPGRADE LiveAction, Inc. 3500 Copyright WEST BAYSHORE 2016 LiveAction, ROAD Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the

More information